Do not store LAN Manager hash value on next password change

Hi, I have been monitoring the netlogon logs and so far there are no indications of LM usage. I have a few questions around switching this setting on though. What is the backout for this if you switch it on, a bunch of accounts change their passwords, and something comes out of the woodwork? Restoring the user object? Also, presumably this is a replicated change, i.e. you can't security-filter the setting so that one DC has the LM hash and another doesn't.


It almost certainly won't be in use but I still need a back-out plan for the change control. And it wouldn't be the first time some obscure non-MS application came out of the woodwork to bite us in the ass.


When you enable this setting to not have the hash stored, does it clear the existing stored hash? If not, does each account need to go through a password change to get rid of the hashes? Is there a manual way to clear the hashes?

Thanks,
-Ravi

On Feb 9, 2017 9:30 AM, "Carneiro, Smita A." <carneiro@xxxxxxxxxxxxxxxx> wrote:

Can you audit this before switching it off? I know you can audit NTLM.


The hashes do not get cleared, they just don't get updated on the next password change/set. The old LM hash remains as long as the object remains; new objects created after this setting simply have the null AAD3B435B51404EE value, if I recall correctly.

Sent: den 10 februari 2017 13:04
To: ActiveDir@xxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Do not store LAN Manager hash value on next password change

When you enable this setting to not have the hash stored, does it clear the existing stored hash? If not, does each account need to go through a password change to get rid of the hashes? Is there a manual way to clear the hashes?

Thanks,
-Ravi

On Feb 9, 2017 9:30 AM, "Carneiro, Smita A." <carneiro@xxxxxxxxxxxxxxxx> wrote:

Can you audit this before switching it off? I know you can audit NTLM.

Smita Carneiro, GCWN
Active Directory Systems Engineer
IT Security and Policy
Ross Enterprise Center
3495 Kent Avenue, Suite 100
West Lafayette, IN 47906

From: ActiveDir-owner@xxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxx] On Behalf Of martyn78@xxxxxxxxxxxxxxxx
Sent: Tuesday, February 7, 2017 9:39 AM
To: activedir@xxxxxxxxxxxxxxxx
Subject: re: [ActiveDir] Do not store LAN Manager hash value on next password change

It almost certainly won't be in use but I still need a back-out plan for the change control. And it wouldn't be the first time some obscure non-MS application came out of the woodwork to bite us in the ass.

------------------------------------------------------------------------------------
This message was posted over our web site http://www.activedir.org/thread/do-not-store-lan-manager-hash-value-on-next-password-change/
You can still reply to this thread by email and also over the web site.
Tip: You can mark this post as the 'solution' if so desired using the above link.
Forum info: http://www.activedir.org
Problems unsubscribing? Email admin@xxxxxxxxxxxxxxxx


So is it reversible? i.e. if you disable the GPO setting, does the LM hash get updated/created on the subsequent password change?


Yes. But the LM hash will then be out of sync; it will be updated again on the next password change.

Sent: den 13 februari 2017 10:47
To: activedir@xxxxxxxxxxxxxxxx
Subject: re: [ActiveDir] Do not store LAN Manager hash value on next password change

The hashes do not get cleared, they just don't get updated on the next password change/set. The old LM hash remains as long as the object remains; new objects created after this setting simply have the null AAD3B435B51404EE value, if I recall correctly.

So is it reversible? i.e. if you disable the GPO setting, does the LM hash get updated/created on the subsequent password change?
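The two answers above (nothing is cleared when the setting goes on; after a rollback the LM hash is simply out of sync until the next password change) both come down to the same question for a change-control plan: which accounts have not set a password since the cutover? The script below is an added example written for this thread, not code from any poster or from Microsoft. It assumes the RSAT ActiveDirectory module, a session that can read user objects and the local Security log, and a placeholder cutover date; the function and parameter names are the example's own. It reports the effective NoLMHash state on the host it runs on, scans Security event 4624 for logons that used the LM response (the "Package Name (NTLM only)" field, which is the one log field that names LM explicitly, and the kind of evidence the original poster was looking for), and lists enabled accounts whose password predates the cutover.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread. Assumes RSAT's ActiveDirectory module, a
# domain-joined session that can read user objects and the local Security log,
# and that $CutoverDate is the day the GPO setting took effect (placeholder).
param(
    [datetime]$CutoverDate = [datetime]'2017-02-13',   # placeholder cutover date
    [int]$LogonEventsToScan = 5000
)

# 1. Effective state of the setting on this host. The GPO "Network security: Do not
#    store LAN Manager hash value on next password change" writes Lsa\NoLMHash = 1.
#    Check every DC, since the hash is written by whichever DC processes the change.
function Get-NoLMHashState {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
    $value = if ($null -eq $lsa.NoLMHash) { 0 } else { [int]$lsa.NoLMHash }  # absent = 0 = LM hash still generated
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        NoLMHash = $value
        Enforced = ($value -eq 1)
    }
}

# 2. Evidence of LM use. Security event 4624 carries "Package Name (NTLM only)"
#    (EventData field LmPackageName: LM, NTLM V1 or NTLM V2). 4624 is logged on the
#    machine that accepted the logon, so run this on DCs and on file/app servers.
function Get-LmLogonEvents {
    param([int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $data = @{}
            foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
            if ($data['AuthenticationPackageName'] -eq 'NTLM') {
                [pscustomobject]@{
                    Time      = $_.TimeCreated
                    User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                    Source    = $data['IpAddress']
                    LmPackage = $data['LmPackageName']
                }
            }
        } |
        Where-Object { $_.LmPackage -eq 'LM' }   # only logons that sent an LM response
}

# 3. Accounts that have not set a password since the cutover. Turning the setting on
#    clears nothing, so these still carry whatever LM hash they had; after a rollback
#    the same list is the set whose LM hash is out of sync until their next change.
#    This is a heuristic on pwdLastSet; it does not read the stored hash itself.
function Get-AccountsPendingLMHashRefresh {
    param([datetime]$Since)
    Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet, whenCreated |
        Where-Object { -not $_.PasswordLastSet -or $_.PasswordLastSet -lt $Since } |
        Select-Object SamAccountName, PasswordLastSet, whenCreated |
        Sort-Object PasswordLastSet
}

Get-NoLMHashState | Format-List

$lm = @(Get-LmLogonEvents -MaxEvents $LogonEventsToScan)
'{0} LM-response logons found in the last {1} 4624 events on {2}' -f $lm.Count, $LogonEventsToScan, $env:COMPUTERNAME
$lm | Format-Table -AutoSize

$pending = @(Get-AccountsPendingLMHashRefresh -Since $CutoverDate)
'{0} enabled accounts have not set a password since {1:yyyy-MM-dd} and still carry whatever LM hash they had' -f $pending.Count, $CutoverDate
$pending | Format-Table -AutoSize
```

The pwdLastSet list is what a back-out plan needs in both directions: it is the population still holding a legacy LM hash after the setting goes on, and the population left without one if the setting is reverted. Accounts with an empty PasswordLastSet (must change at next logon) are included deliberately, since their next logon is the password set that decides which hash gets written.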